DETAILED ACTION 

Response to Amendment 

1. This communication is in response to the Amendment filed 17 June 2008. 

2. Claims 1, 5-16 and 20-30 are currently pending. In the Amendment filed 17 June 
2008, claims 1 and 16 are amended and claims 2-4, 17-19 and 31 are canceled. 
This action is made Final. 



Claim Objections 

3. Claim 20 is objected to because the claim is dependent on claim 17, which has 
been canceled. Appropriate correction is required. 



Specification 

4. The objection to the specification has been withdrawn as necessitated by 
applicant's amendment. 



Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. This application currently names joint inventors. In considering patentability of 
the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of 
the various claims was commonly owned at the time any inventions covered therein 
were made absent any evidence to the contrary. Applicant is advised of the obligation 
under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was 
not commonly owned at the time a later invention was made in order for the examiner to 
consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) 
prior art under 35 U.S.C. 103(a). 

7. Claims 1, 5, 6, 9, 12, 16, 20, 21, 24 and 27 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over US PGPub 2002/0161763 to Ye et al (hereafter Ye) in 
view of US PGPub 2002/0107858 to Lundahl et al (hereafter Lundahl) in view of US 
Patent No 7,227,985 to Ikeda et al (hereafter Ikeda). 

Referring to claim 1, Ye discloses a method for monitoring abnormalities in a 
data stream (see abstract and [0030]), comprising the steps of: 

receiving a plurality of objects in the data stream [stream of data] (see [0035], 
lines 5-8); 

creating one or more clusters from the plurality of objects (see [0035], lines 10-13), 
wherein at least a portion of each of the one or more clusters comprises statistical 
data [sample variance, sample covariance and sample mean] representative of the 
respective cluster (see [0041]); 

wherein the step of creating one or more clusters further comprises: 

computing one or more similarity values for a given object relating to one 
or more existing clusters (Ye: see [0157]-[0162]); and 

determining a closest cluster for the object based on the one or more 
similarity values (Ye: see [0163]); 

determining whether the similarity value for the object relating to the 
closest cluster is greater than a threshold (Ye: see [0173]); 

responsive to the determination that the similarity value is greater than the 
threshold, adding the object to the closest cluster when determined and updating 
the statistical data of the closest cluster (Ye: see [0041]-[0042]); and 

responsive to a determination that the similarity value is not greater than 
the threshold, determining whether there is at least one cluster to which no object 
has been added within a given period of time (Ye: see [0041]-[0042]); 

responsive to a determination that there is no cluster to which at least no 
object has been added within the given period of time, adding the object to the 
closest cluster and updating the statistical data of the closest cluster (Ye: see 
[0041]-[0042]); and 

responsive to a determination that there is at least one cluster to which no 
object has been added within the given period of time, replacing the cluster to 
which no object has been added within the longest period of time with a new 
cluster comprising the object and generating statistical data of the new cluster 
(Ye: see [0041]-[0042]). 

Ye discloses clustering objects and determining if an object is abnormal 
compared to a distance value (see [0157]-[0170]); however, Ye fails to explicitly 
disclose the further limitations of determining from the statistical data whether each of 
the one or more clusters is abnormal when compared to a predefined value and 
reporting at least one of the one or more clusters as an abnormal cluster of objects in 
the data stream. Lundahl discloses performing cluster analysis on data in order to 
segment data into appropriate clusters for subsequent processing (see [0010], lines 5-8), 
including the further limitations of determining from the statistical data whether each 
of the one or more clusters is abnormal (see [0217]); and reporting [classifying] at least 
one of the one or more clusters as an abnormal cluster of objects in the data stream 
(see [0217]) in order to improve the capability of an intrusion detection algorithm to be 
scalable and efficient in handling data in real-time systems. 

It would have been obvious to one of ordinary skill in the art to use the features of 
determining whether an entire cluster is abnormal and reporting that abnormality as 
disclosed by Lundahl using the statistical data determined by Ye. One would have been 
motivated to do so in order to improve the capability of an intrusion detection algorithm 
to be scalable and efficient in handling data in real-time systems (Ye: see [0010], 
lines 6-8). 

The combination of Ye and Lundahl (hereafter Ye/Lundahl) fails to explicitly 
disclose the further limitation wherein the statistical data comprises a time-sensitive 
weight for each of the plurality of objects in each of the one or more clusters, the time- 
sensitive weight having a value that decreases at a specified rate such that more 
recently received objects are assigned a higher priority, and wherein the one or more 
clusters are condensed for maintenance at a high level of granularity as one or more 
cluster droplets and wherein a cluster is abnormal when no objects in the data stream 
are added to the cluster prior to the time-sensitive weights of the cluster decreasing to a 
predefined value. Ikeda discloses clustering data objects (see abstract), including the 
further limitation wherein the statistical data comprises a time-sensitive weight for each 
of the plurality of objects in each of the one or more clusters, the time-sensitive weight 
having a value that decreases at a specified rate such that more recently received 
objects are assigned a higher priority, and wherein the one or more clusters are 
condensed for maintenance at a high level of granularity as one or more cluster droplets 
(see column 1 , line 47 - column 2, line 29) and wherein a cluster is abnormal when no 
objects in the data stream are added to the cluster prior to the time-sensitive weights of 
the cluster decreasing to a predefined value [cluster removal threshold value] (see 
column 5, lines 43-48). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to utilize the concept of applying time-sensitive weights as 
disclosed by Ikeda to each of the data objects of Ye/Lundahl. One would have been 
motivated to do so in order to increase the accuracy of insuring that the most current 
data is being utilized to detect abnormalities in a data stream. 
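The following is an added worked example, not code from the applicant, from Ye, Lundahl or Ikeda, or from this Office action; it is included only to show, in runnable form, the combined procedure that the rejection of claim 1 reads onto the references: each object from the stream is matched to the closest existing cluster by a similarity value and added to it when the similarity exceeds a threshold; otherwise, if some cluster has received no object within a given period, the cluster idle for the longest time is replaced by a new cluster holding the object, and if no cluster is idle the object still joins the closest cluster. Each cluster is kept only as a condensed summary (a "droplet") whose time-sensitive weights decay at a fixed rate, and a cluster is reported as abnormal when its weight decays below a predefined value before any new object is added to it. The similarity metric (inverse Euclidean distance to the cluster mean), the half-life decay, the numeric thresholds, the cluster-pool capacity used to decide when a new cluster may be created without replacing one, and the sample stream are all assumptions made for this example and do not come from the claims or the cited references.

```python
"""Added example: streaming clustering with time-decayed cluster summaries.

Hypothetical parameters: inverse-distance similarity, a fixed half-life, the
thresholds and the pool capacity are assumptions, not values from the claims.
"""
import math
from dataclasses import dataclass


@dataclass
class Droplet:
    """Condensed cluster summary; the raw objects themselves are not retained."""
    cid: int
    n: int              # objects ever added (undecayed count)
    weight: float       # sum of the time-sensitive weights of its objects
    lsum: list          # weighted linear sum of the attribute vectors
    last_add: int       # time the most recent object was added
    flagged: bool = False

    def mean(self):
        return [s / self.weight for s in self.lsum]


class StreamMonitor:
    def __init__(self, sim_threshold=0.5, half_life=4.0, stale_after=3,
                 min_weight=0.3, max_clusters=3):
        self.sim_threshold = sim_threshold  # join the closest cluster only above this
        self.half_life = half_life          # an object's weight halves every half_life ticks
        self.stale_after = stale_after      # idle time after which a cluster may be replaced
        self.min_weight = min_weight        # abnormal once the weight decays below this
        self.max_clusters = max_clusters    # assumed pool capacity (not in the claims)
        self.clusters, self.next_id, self.now = {}, 0, 0
        self.abnormal = []                  # (cid, time flagged)

    def _decay(self, t):
        """Scale weights and linear sums by 2^(-dt/half_life) for the elapsed time."""
        dt = t - self.now
        if dt <= 0:
            return
        f = 0.5 ** (dt / self.half_life)
        for c in self.clusters.values():
            c.weight *= f
            c.lsum = [s * f for s in c.lsum]
        self.now = t

    def _check_abnormal(self):
        """Flag clusters whose weight decayed below min_weight with no new object added."""
        for c in self.clusters.values():
            if not c.flagged and c.weight < self.min_weight:
                c.flagged = True
                self.abnormal.append((c.cid, self.now))

    @staticmethod
    def _similarity(x, c):
        return 1.0 / (1.0 + math.dist(x, c.mean()))   # 1.0 means identical to the mean

    def _add(self, c, x, t):
        c.n, c.weight, c.last_add = c.n + 1, c.weight + 1.0, t   # fresh object: full weight
        c.lsum = [s + xi for s, xi in zip(c.lsum, x)]

    def _new(self, x, t):
        c = Droplet(self.next_id, 1, 1.0, list(x), t)
        self.clusters[c.cid] = c
        self.next_id += 1
        return c

    def observe(self, t, x):
        """Process one object arriving at time t; returns the action taken."""
        self._decay(t)
        self._check_abnormal()
        if not self.clusters:
            return ("new", self._new(x, t).cid)
        closest = max(self.clusters.values(), key=lambda c: self._similarity(x, c))
        if self._similarity(x, closest) > self.sim_threshold:
            self._add(closest, x, t)
            return ("add", closest.cid)
        if len(self.clusters) < self.max_clusters:
            return ("new", self._new(x, t).cid)
        stale = [c for c in self.clusters.values() if t - c.last_add > self.stale_after]
        if not stale:                        # nothing idle: the object still joins the closest cluster
            self._add(closest, x, t)
            return ("add", closest.cid)
        victim = min(stale, key=lambda c: c.last_add)   # idle for the longest time
        del self.clusters[victim.cid]
        return ("replace", victim.cid, self._new(x, t).cid)

    def new_small_clusters(self, earlier_ids, min_objects):
        """Clusters absent at an earlier snapshot that hold fewer than min_objects objects."""
        return sorted(c.cid for c in self.clusters.values()
                      if c.cid not in earlier_ids and c.n < min_objects)


def run_demo():
    """Constructed stream: a steady baseline at (1, 1) plus a few isolated bursts."""
    m, log, snapshot = StreamMonitor(), [], set()
    extras = {2: (10.0, 10.0), 3: (10.0, 10.0), 5: (5.0, 1.0), 8: (20.0, 20.0)}
    for t in range(17):
        log.append((t,) + m.observe(t, (1.0, 1.0)))
        if t in extras:
            log.append((t,) + m.observe(t, extras[t]))
        if t == 4:
            snapshot = set(m.clusters)       # clusters present at the earlier time
    return m, log, snapshot
```

Calling run_demo() on the constructed stream yields a baseline cluster that is refreshed every tick, a burst cluster at (10, 10) that is replaced at t=8 because it has been idle longest when the pool is full and a far-off object arrives, and two single-object clusters whose weights fall below 0.3 after seven idle ticks and are flagged at t=12 and t=15. The new_small_clusters() method is the claim 5 style check: clusters present now that were absent at an earlier snapshot and hold fewer than a user-defined number of objects are reported as abnormalities.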

Referring to claim 2, the combination of Ye/Lundahl and Ikeda (hereafter 
Ye/Lundahl/Ikeda) discloses the method of claim 1, wherein the step of creating one or 
more clusters further comprises: 

computing one or more similarity values for a given object relating to one or more 
existing clusters (Ye: see [0157]-[0162]); and 

determining a closest cluster for the object based on the one or more similarity 
values (Ye: see [0163]). 

Referring to claim 3, Ye/Lundahl/Ikeda discloses the method of claim 2, further 
comprising the steps of: 

determining whether to add the object to the closest cluster (Ye: see [0157]- 
[0163]); 

adding the object to the closest cluster when determined and updating the 
statistical data of the closest cluster (Ye: see [0041]-[0042]); and 

creating a new cluster comprising the object when the object is not added to the 
closest cluster (see column 13, lines 31-35), and generating statistical data of the new 
cluster (see column 9, lines 4-14 and column 14, lines 53 - column 15, line 2). 

Referring to claim 5, Ye/Lundahl/Ikeda discloses the method of claim 1, wherein 
the step of determining from the statistical data whether each of the one or more 
clusters is abnormal further comprises the steps of: 

determining which clusters present at a first time were not present at a second 
time, wherein the second time is before the first time; determining which of the clusters, 
present at the first time and not present at the second time, contain fewer than a user- 
defined number of objects; and reporting clusters with fewer than the user-defined 
number of objects as abnormalities (Lundahl: see [0217]). 

Referring to claim 6, Ye/Lundahl/Ikeda discloses the method of claim 1, wherein 
the statistical data of each cluster is stored using an incremental updating process (Ye: 
see [0154], lines 8-15). 
Referring to claim 9, Ye/Lundahl/Ikeda discloses the method of claim 1, wherein 
the statistical data of each cluster comprises a number of objects [number of data 
points] in each cluster (Ye: see [0154], lines 9-13). 

Referring to claim 11, Ye/Lundahl/Ikeda discloses the method of claim 1, 
wherein the step of creating one or more clusters further comprises the step of applying 
one or more weights to one or more attributes (Ye: see [0174]). 

Referring to claim 12, Ye/Lundahl/Ikeda discloses the method of claim 1, 
wherein abnormalities comprise intrusions in a network (Ye: see [0030], lines 10-17). 

Referring to claim 16, Ye discloses an apparatus for monitoring abnormalities in 
a data stream (see abstract and [0030]), comprising: 

a memory (digital storage medium) (see [0026] and Fig 1); and 

at least one processor [computer system] coupled [network] to a memory and 
operative to: 

(i) receive a plurality of objects in the data stream [stream of data] (see 
[0035], lines 5-8) and 

(ii) create one or more clusters from the plurality of objects (see [0035], 
lines 10-13), wherein at least a portion of the one or more clusters comprise 
statistical data [sample variance, sample covariance and sample mean] of the 
respective cluster (see [0041]). 

wherein the step of creating one or more clusters further comprises: 

computing one or more similarity values for a given object relating to one 
or more existing clusters (Ye: see [0157]-[0162]); and 

determining a closest cluster for the object based on the one or more 
similarity values (Ye: see [0163]); 

determining whether the similarity value for the object relating to the 
closest cluster is greater than a threshold (Ye: see [0173]); 

responsive to the determination that the similarity value is greater than the 
threshold, adding the object to the closest cluster when determined and updating 
the statistical data of the closest cluster (Ye: see [0041]-[0042]); and 

responsive to a determination that the similarity value is not greater than 
the threshold, determining whether there is at least one cluster to which no object 
has been added within a given period of time (Ye: see [0041]-[0042]); 

responsive to a determination that there is no cluster to which at least no 
object has been added within the given period of time, adding the object to the 
closest cluster and updating the statistical data of the closest cluster (Ye: see 
[0041]-[0042]); and 

responsive to a determination that there is at least one cluster to which no 
object has been added within the given period of time, replacing the cluster to 
which no object has been added within the longest period of time with a new 
cluster comprising the object and generating statistical data of the new cluster 
(Ye: see [0041]-[0042]). 

Ye discloses clustering objects and determining if an object is abnormal 
compared to a distance value (see [0157]-[0170]); however, Ye fails to explicitly 
disclose the further limitation of (iii) determine from the statistical data whether each of 
the one or more clusters is abnormal when compared to a predefined value. Lundahl 
discloses performing cluster analysis on data in order to segment data into appropriate 
clusters for subsequent processing (see [0010], lines 5-8), including the further limitation 
of (iii) determine from the statistical data whether each of the one or more clusters is 
abnormal when compared to a predefined value (see [0217]) in order to improve the 
capability of an intrusion detection algorithm to be scalable and efficient in handling 
data in real-time systems. 

It would have been obvious to one of ordinary skill in the art to use the feature of 
determining whether an entire cluster is abnormal as disclosed by Lundahl using 
the statistical data determined by Ye. One would have been motivated to do so in order 
to improve the capability of an intrusion detection algorithm to be scalable and efficient 
in handling data in real-time systems (Ye: see [0010], lines 6-8). 

The combination of Ye and Lundahl (hereafter Ye/Lundahl) fails to explicitly 
disclose the further limitation wherein the statistical data comprises a time-sensitive 
weight for each of the plurality of objects in each of the one or more clusters, the time- 
sensitive weight having a value that decreases at a specified rate such that more 
recently received objects are assigned a higher priority, and wherein the one or more 
clusters are condensed for maintenance at a high level of granularity as one or more 
cluster droplets and wherein a cluster is abnormal when no objects in the data stream 
are added to the cluster prior to the time-sensitive weights of the cluster decreasing to a 
predefined value. Ikeda discloses clustering data objects (see abstract), including the 
further limitation wherein the statistical data comprises a time-sensitive weight for each 
of the plurality of objects in each of the one or more clusters, the time-sensitive weight 
having a value that decreases at a specified rate such that more recently received 
objects are assigned a higher priority, and wherein the one or more clusters are 
condensed for maintenance at a high level of granularity as one or more cluster droplets 
(see column 1 , line 47 - column 2, line 29) and wherein a cluster is abnormal when no 
objects in the data stream are added to the cluster prior to the time-sensitive weights of 
the cluster decreasing to a predefined value [cluster removal threshold value] (see 
column 5, lines 43-48). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to utilize the concept of applying time-sensitive weights as 
disclosed by Ikeda to each of the data objects of Ye/Lundahl. One would have been 
motivated to do so in order to increase the accuracy of insuring that the most current 
data is being utilized to detect abnormalities in a data stream. 

Referring to claim 20, Ye/Lundahl/Ikeda discloses the apparatus of claim 17, 
wherein the operation of determining from the statistical data whether each of the one or 
more clusters is abnormal further comprises: 

determining which clusters present at a first time were not present at a second 
time, wherein the second time is before the first time; determining which of the clusters, 
present at the first time and not present at the second time, contain fewer than a user- 
defined number of objects; and reporting clusters with fewer than the user-defined 
number of objects as abnormalities (Lundahl: see [0217]). 
Referring to claim 21, Ye/Lundahl/Ikeda discloses the apparatus of claim 16, 
wherein the statistical data of each cluster is stored using an incremental updating 
process (Ye: see [0154], lines 8-15). 

Referring to claim 24, Ye/Lundahl/Ikeda discloses the apparatus of claim 16, 
wherein the statistical data of each cluster comprises a number of objects [number of 
data points] in each cluster (Ye: see [0154], lines 9-13). 

Referring to claim 26, Ye/Lundahl/Ikeda discloses the apparatus of claim 16, 
wherein the operation of creating one or more clusters further comprises the step of 
applying one or more weights to one or more attributes (Ye: see [0174]). 

Referring to claim 27, Ye/Lundahl/Ikeda discloses the apparatus of claim 16, 
wherein abnormalities comprise intrusions in a network (Ye: see [0030], lines 10-17). 

8. Claims 7, 10, 22 and 25 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over US PGPub 2002/0161763 to Ye et al in view of US PGPub 
2002/0107858 to Lundahl et al in view of US Patent No 7,227,985 to Ikeda et al as 
applied respectively to claims 1 and 16 above, and further in view of US Patent No 
6,625,585 to MacCuish et al (hereafter MacCuish et al). 

Referring to claim 7, Ye/Lundahl/Ikeda discloses statistical data. However, 
Ye/Lundahl/Ikeda fails to explicitly disclose the further limitation wherein the statistical 
data of each cluster comprises one or more statistical counts of each pairwise attribute. 
MacCuish et al disclose clustering data (see abstract) including the further limitation 
wherein the statistical data of each cluster comprises one or more statistical counts of 
each pairwise attribute (see column 14, lines 44-62) in order to improve the accuracy 
of calculating the similarity of the clusters. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to utilize pairwise attributes of MacCuish et al as the type of 
statistical data utilized by Ye/Lundahl/Ikeda. One would have been motivated to do so 
in order to improve the accuracy of calculating the similarity of the clusters. 

Referring to claim 10, Ye/Lundahl/Ikeda discloses statistical data. However, 
Ye/Lundahl/Ikeda fails to explicitly disclose the further limitation wherein the statistical 
data is stored periodically at intervals chosen based on a pyramidal distribution. 
MacCuish et al disclose clustering data (see abstract) including the further limitation 
wherein the statistical data is stored periodically at intervals chosen based on a 
pyramidal distribution (see column 14, lines 27-29) since the data being clustered is 
being transmitted in a stream which means that new data is constantly being clustered 
and clustering at a periodic interval decreases utilized system resources. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to utilize the feature of periodically storing the statistics of 
MacCuish et al as the type of statistical data utilized by Ye/Lundahl/Ikeda. One would 
have been motivated to do so since the data being clustered is being transmitted in a 
stream, which means that new data is constantly being clustered and clustering at a 
periodic interval decreases utilized system resources. 

Referring to claim 22, the claim is rejected on the same grounds as claim 7. 

Referring to claim 25, the claim is rejected on the same grounds as claim 10. 
9. Claims 8, 13-15, 23 and 28-30 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over US PGPub 2002/0161763 to Ye et al in view of US PGPub 
2002/0107858 to Lundahl et al in view of US Patent No 7,227,985 to Ikeda et al as 
applied respectively to claims 1 and 16 above, and further in view of US PGPub 
2004/0098617 to Sekar (hereafter Sekar). 

Referring to claim 8, Ye/Lundahl/Ikeda discloses statistical data of each cluster. 
However, Ye/Lundahl/Ikeda fails to explicitly disclose the further limitation wherein the 
statistical data of each cluster comprises one or more statistical counts of each 
categorical attribute. Sekar discloses statistical data, including the further limitation 
wherein the statistical data of each cluster comprises one or more statistical counts of 
each categorical attribute (Sekar: see [0088], lines 1-7) in order to increase the speed 
and efficiency at which intrusions can be detected in a large sample of data. 

It would have been obvious to one of ordinary skill in the art to use the statistical 
counts of Sekar as additional data to the statistical data of Ye/Lundahl/Ikeda. One would 
have been motivated to do so in order to increase the speed and efficiency at which 
intrusions can be detected in a large sample of data. 

Referring to claim 13, Ye/Lundahl/Ikeda discloses abnormalities, which 
represent intrusions in a network. However, Ye/Lundahl/Ikeda fail to explicitly disclose 
the further limitation of wherein the step of receiving a plurality of objects further 
comprises the step of collecting source IP (Internet Protocol) address data, destination 
IP address data and signature data. Sekar discloses determining abnormalities in data, 
wherein abnormalities comprise intrusions in a network (see abstract), including the 
further limitation of a step of receiving a plurality of objects which comprises a step of 
collecting source IP (Internet Protocol) address data [source address], destination IP 
address data [destination address] and signature data (see column 5, line 34 and line 
45) in order to increase the speed and efficiency at which intrusions can be detected in 
a large sample of data. 

It would have been obvious to one of ordinary skill in the art to use the IP 
address and signature data collected by Sekar with the data of Ye/Lundahl/Ikeda in 
order to determine the intrusions in a network. One would have been motivated to do 
so in order to increase the speed and efficiency at which intrusions can be detected in a 
large sample of data. 

Referring to claim 14, Ye/Lundahl/Ikeda discloses abnormalities, which 
represent intrusions in a network and the step of clustering data. However, 
Ye/Lundahl/Ikeda fail to explicitly disclose the further limitation of wherein the step of 
creating one or more clusters further comprises the step of clustering source IP address 
data, destination IP address data and signature data. Sekar discloses determining 
abnormalities in data, wherein abnormalities comprise intrusions in a network (see 
abstract), including collecting source IP (Internet Protocol) address data [source 
address], destination IP address data [destination address] and signature data (see 
column 5, line 34 and line 45) in order to increase the speed and efficiency at which 
intrusions can be detected in a large sample of data. 
It would have been obvious to one of ordinary skill in the art to use the IP 
address and signature data collected by Sekar as the data being clustered by 
Ye/Lundahl/Ikeda. One would have been motivated to do so in order to increase the 
speed and efficiency at which intrusions can be detected in a large sample of data. 

Referring to claim 15, Ye/Lundahl/Ikeda discloses abnormalities, which 
represent intrusions in a network and the step of determining from statistical data 
whether abnormalities exist. However, Ye/Lundahl/Ikeda fail to explicitly disclose the 
further limitation of wherein the step of determining from the statistical data whether 
each of the one or more clusters is abnormal comprises the step of detecting one or 
more intrusions from statistical data of source IP address data, destination IP address 
data and signature data. Sekar discloses determining abnormalities in data, wherein 
abnormalities comprise intrusions in a network (see abstract), including wherein the 
step of determining from the statistical data whether one or more abnormalities exist 
further comprises the step of detecting one or more intrusions from statistical data of 
source IP address data, destination IP address data and signature data (Sekar: see 
[0032]) in order to increase the speed and efficiency at which intrusions can be detected 
in a large sample of data. 

It would have been obvious to one of ordinary skill in the art to use the IP 
address and signature data collected by Sekar as the data being clustered by 
Ye/Lundahl/Ikeda. One would have been motivated to do so in order to increase the 
speed and efficiency at which intrusions can be detected in a large sample of data. 

Referring to claim 23, the claim is rejected on the same grounds as claim 8. 



Application/Control Number: 10/801,420 Page 17 

Art Unit: 2167 

Referring to claim 28, the claim is rejected on the same grounds as claim 13. 
Referring to claim 29, the claim is rejected on the same grounds as claim 14. 
Referring to claim 30, the claim is rejected on the same grounds as claim 15. 

Response to Arguments 

10. Applicant's arguments with respect to the claims have been considered but are 
moot in view of the new ground(s) of rejection. 

Conclusion 

11. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 